Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1553

ElytronXmlParser.parseAuthenticationClientConfiguration() requires additional Permission when runs with Security Manager

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 1.3.0.Final
    • 1.2.4.Final
    • None
    • None

    Description

      There is a difference between required Permission for ElytronXmlParser.parseAuthenticationClientConfiguration() method in version 1.1.7.Final (JBoss EAP 7.1.0.GA) and 1.2.4.Final (JBoss EAP 7.2.0.CD12.CR1) when runs with Security Manager. Version 1.2.4.Final newly requires Permission java.security.SecurityPermission putProviderProperty.WildFlyElytron. It fails with following Exception:

      java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "putProviderProperty.WildFlyElytron")" in code source "(vfs:/content/WildflyConfigXmlReproducerServlet.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.WildflyConfigXmlReproducerServlet.war" from Service Module Loader")
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
	at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1759)
	at org.wildfly.security.manager.WildFlySecurityManager.checkSecurityAccess(WildFlySecurityManager.java:581)
	at java.security.Provider.check(Provider.java:658)
	at java.security.Provider.putService(Provider.java:1120)
	at org.wildfly.security.WildFlyElytronProvider.putHttpAuthenticationMechanismImplementations(WildFlyElytronProvider.java:232)
	at org.wildfly.security.WildFlyElytronProvider.<init>(WildFlyElytronProvider.java:142)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$static$0(ElytronXmlParser.java:131)
	at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:159)
	at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:147)
	at org.wildfly.security.auth.client.ElytronXmlParser$DeferredSupplier.get(ElytronXmlParser.java:2826)
	at org.wildfly.security.password.PasswordFactory.getInstance(PasswordFactory.java:116)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseClearPassword$49(ElytronXmlParser.java:2252)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$31(ElytronXmlParser.java:1065)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$27(ElytronXmlParser.java:1042)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$38(ElytronXmlParser.java:1108)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$22(ElytronXmlParser.java:836)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$27(ElytronXmlParser.java:1042)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$26(ElytronXmlParser.java:884)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationRuleType$11(ElytronXmlParser.java:716)
	at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseRulesType$12(ElytronXmlParser.java:742)
	at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:351)
	at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:227)
	at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:188)
	at com.redhat.eap.qe.elytron.authnctx.WildflyConfigXmlReproducerServlet.parseAndCreateAuthenticationClientConfiguration(WildflyConfigXmlReproducerServlet.java:51)
	at com.redhat.eap.qe.elytron.authnctx.WildflyConfigXmlReproducerServlet.doGet(WildflyConfigXmlReproducerServlet.java:44)
	...

      In case this change is expected then Release Notes Jira should be created.

      The same Permission is needed when authentication context is obtained from server configuration (through default-authentication-context in elytron subsystem):

      java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "putProviderProperty.WildFlyElytron")" in code source "(vfs:/content/direct-call-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.direct-call-dep.war" from Service Module Loader")
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
	at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1759)
	at org.wildfly.security.manager.WildFlySecurityManager.checkSecurityAccess(WildFlySecurityManager.java:581)
	at java.security.Provider.check(Provider.java:658)
	at java.security.Provider.putService(Provider.java:1120)
	at org.wildfly.security.WildFlyElytronProvider.putHttpAuthenticationMechanismImplementations(WildFlyElytronProvider.java:232)
	at org.wildfly.security.WildFlyElytronProvider.<init>(WildFlyElytronProvider.java:142)
	at org.wildfly.security.auth.client.AuthenticationConfiguration.lambda$static$0(AuthenticationConfiguration.java:169)
	at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:159)
	at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:147)
	at org.wildfly.security.sasl.util.SecurityProviderSaslClientFactory.createSaslClient(SecurityProviderSaslClientFactory.java:85)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.ProtocolSaslClientFactory.createSaslClient(ProtocolSaslClientFactory.java:50)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
	at org.wildfly.security.sasl.util.FilterMechanismSaslClientFactory.createSaslClient(FilterMechanismSaslClientFactory.java:102)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.LocalPrincipalSaslClientFactory.createSaslClient(LocalPrincipalSaslClientFactory.java:76)
	at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.lambda$createSaslClient$0(PrivilegedSaslClientFactory.java:64)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.createSaslClient(PrivilegedSaslClientFactory.java:64)
	at org.wildfly.security.auth.client.AuthenticationConfiguration.createSaslClient(AuthenticationConfiguration.java:1348)
	at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.createSaslClient(AuthenticationContextConfigurationClient.java:395)
	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:420)
	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:242)
	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
	at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)

      or when authentication context is created programatically:

      java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "putProviderProperty.WildFlyElytron")" in code source "(vfs:/content/programatically-set-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.programatically-set-dep.war" from Service Module Loader")
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
	at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1759)
	at org.wildfly.security.manager.WildFlySecurityManager.checkSecurityAccess(WildFlySecurityManager.java:581)
	at java.security.Provider.check(Provider.java:658)
	at java.security.Provider.putService(Provider.java:1120)
	at org.wildfly.security.WildFlyElytronProvider.putHttpAuthenticationMechanismImplementations(WildFlyElytronProvider.java:232)
	at org.wildfly.security.WildFlyElytronProvider.<init>(WildFlyElytronProvider.java:142)
	at org.wildfly.security.auth.client.AuthenticationConfiguration.lambda$static$0(AuthenticationConfiguration.java:169)
	at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:159)
	at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:147)
	at org.wildfly.security.sasl.util.SecurityProviderSaslClientFactory.createSaslClient(SecurityProviderSaslClientFactory.java:85)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.ProtocolSaslClientFactory.createSaslClient(ProtocolSaslClientFactory.java:50)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
	at org.wildfly.security.sasl.util.FilterMechanismSaslClientFactory.createSaslClient(FilterMechanismSaslClientFactory.java:102)
	at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
	at org.wildfly.security.sasl.util.LocalPrincipalSaslClientFactory.createSaslClient(LocalPrincipalSaslClientFactory.java:76)
	at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.lambda$createSaslClient$0(PrivilegedSaslClientFactory.java:64)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.createSaslClient(PrivilegedSaslClientFactory.java:64)
	at org.wildfly.security.auth.client.AuthenticationConfiguration.createSaslClient(AuthenticationConfiguration.java:1348)
	at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.createSaslClient(AuthenticationContextConfigurationClient.java:395)
	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:420)
	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:242)
	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
	at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem that impairs or prevents the functions of the product. ELY-1558 WildFlyElytronProvider is not initialized with appropriate privileges

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              fjuma1@redhat.com Farah Juma
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: